- From: Keiji Takeda <keiji@sfc.keio.ac.jp>
- Date: Tue, 28 Oct 2014 04:08:51 +0900
- To: Mike West <mkwst@google.com>, Yagihashi Yu <yagihash@sfc.wide.ad.jp>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Mike,

Period ('.') is missing...

> 'Hello, world'

should be

> 'Hello, world.'

Keiji Takeda

(2014/10/28 2:25), Mike West wrote:
> You're right that the spec is incorrect. That said, my results don't
> match yours. :)
>
> mini [18:24] ~ $ echo -n "alert('Hello, world');" | openssl dgst -sha256 -binary | openssl enc -base64
> b+jOy0DlwBaNGMxhuGypbGgvtY9mVoy1LlMALqJWsoY=
>
> How did you end up with 'qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='?
>
> -mike
>
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
> On Fri, Oct 24, 2014 at 4:52 PM, Yagihashi Yu <yagihash@sfc.wide.ad.jp> wrote:
>
> > I noticed descriptions about source hash are inconsistent in CSP
> > Lv.2 Last Call Working Draft.
> > http://www.w3.org/TR/CSP11/
> > http://www.w3.org/TR/CSP2/
> >
> > In 4.2.5, the draft says "Let actual be the base64 encoding of the
> > binary digest of element's content using the algorithm algorithm.",
> > however in 7.17.2, says "For example, the SHA-256 digest of
> > alert('Hello, world.'); is
> > YWIzOWNiNzJjNDRlYzc4MTgwMDhmZDlkOWI0NTAyMjgyY2MyMWJlMWUyNjc1ODJlYWJhNjU5MGU4NmZmNGU3OAo=.".
> > The section 4.2.5 describes correctly according to the actual
> > implementation for Google Chrome.
> > The correct base64 encoded SHA-256 binary digest of alert('Hello,
> > world.'); is qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=.
> >
> > It's obvious that the former is correct, and the latter is wrong
> > though, this mistake is sometimes misleading.
> > (It misled me actually…)
> >
> > /**
> >  * Yu Yagihashi
> >  * yagihash@sfc.wide.ad.jp
> >  */
Received on Wednesday, 29 October 2014 21:07:01 UTC
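
The mismatch discussed in this thread, as an added example that is not part of the original messages: the sketch below computes a hash-source value the way section 4.2.5 describes and classifies a candidate value, including the 7.17.2 case where the hex text of the digest was base64-encoded instead of the binary digest. The function names and result labels are assumptions made for illustration, as is hashing the script text as UTF-8.

```python
import base64
import binascii
import hashlib

# Values quoted in the thread above.
SPEC_7_17_2 = (
    "YWIzOWNiNzJjNDRlYzc4MTgwMDhmZDlkOWI0NTAyMjgyY2MyMWJlMWUy"
    "Njc1ODJlYWJhNjU5MGU4NmZmNGU3OAo="
)
THREAD_CORRECT = "qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng="
THREAD_NO_PERIOD = "b+jOy0DlwBaNGMxhuGypbGgvtY9mVoy1LlMALqJWsoY="
SCRIPT = "alert('Hello, world.');"  # ASCII quotes, period included


def csp_source_hash(content: str, alg: str = "sha256") -> str:
    """Base64 of the *binary* digest of the element content (section 4.2.5).

    Assumption: the content is hashed as UTF-8 bytes.
    """
    digest = hashlib.new(alg, content.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def diagnose(candidate: str, content: str, alg: str = "sha256") -> str:
    """Classify a candidate hash-source value against the script content."""
    digest = hashlib.new(alg, content.encode("utf-8")).digest()
    try:
        raw = base64.b64decode(candidate, validate=True)
    except binascii.Error:
        return "not-base64"
    if raw == digest:
        return "ok"
    # The 7.17.2 mistake: the hex text of the digest, as printed by a
    # command-line tool (trailing newline included), was base64-encoded.
    if raw.strip().lower() == digest.hex().encode("ascii"):
        return "base64-of-hex-digest"
    # Anything else means the hashed bytes differ from `content`
    # (for example a missing period), or a different algorithm was used.
    return "different-content"


if __name__ == "__main__":
    print("sha256-" + csp_source_hash(SCRIPT))
    for value in (THREAD_CORRECT, SPEC_7_17_2, THREAD_NO_PERIOD):
        print(diagnose(value, SCRIPT), value)
```
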